GDPR, CCPA and beyond

With significant enforcement activity, regulators in the European Union and the U.S. are showing they mean business in terms of data privacy.

Two recent EU and U.S. regulator enforcement actions and changes in the U.S. state data privacy law landscape that include the proposal from the California Attorney General’s Office to expand enforcement authority and class action litigation under the California Consumer Privacy Act (CCPA) and U.S. Congress’ consideration of a first- ever comprehensive federal privacy law.

High stakes enforcement

Jan. 21, in one of the largest privacy fines announced globally, the French National Data Protection Commission (CNIL) imposed a €50 million penalty against a tech giant for violating the General Data Protection Regulation (GDPR). This was followed by press reports in February that the U.S. Federal Trade Commission (FTC) was negotiating a multibillion-dollar fine against Facebook to settle the agency’s investigation into its privacy practices. In late July, the FTC formally announced its $5 billion settlement with Facebook following a years-long investigation into the Cambridge Analytica scandal and other privacy breaches. Prior to that announcement, the largest fine the FTC had imposed on a tech company for breaking an agreement with the government to safeguard consumers’ data was a $22.5 million settlement in 2012.

The CNIL’s enforcement action focused on the GDPR’s transparency and consent requirements and provides useful tips for companies looking for guidance on how to design privacy policies and consent tick boxes.

The FTC’s investigation started in the aftermath of the Cambridge Analytica scandal, which focused on the controls a company must have on how its data are shared with and used by third parties. These CNIL and FTC actions signal that data privacy enforcement risk is now among one of the top risks a company must consider as part of its enterprise risk management framework.

Increased scrutiny

After the GDPR’s passage last May, several states are proposing their own data protection laws that provide certain GDPR-like consumer rights. However, the states’ approach has key differences noteworthy for businesses operating in the U.S.

The CCPA, passed in June 2018 in response to the Cambridge Analytica scandal, is slated to become the most comprehensive data privacy law in the country. The legislation goes into effect Jan. 1, 2020, and, like the GDPR, provides certain rights to consumers, including the “Right to Know,” the “Right to Access,” the “Right to Opt-Out” and the “Right to Deletion.” The CCPA expands the definition of personal information and also requires a link on companies’ websites to allow consumers to opt out of data sharing to third parties.

Companies have less than six months to put compliance programs in place for the CCPA, and yet the California legislature has continued to amend the law. Feb. 22, California Attorney General (AG) Xavier Becerra and Sen. Hannah-Beth Jackson introduced legislation designed to strengthen the CCPA. The bill would (1) no longer require the Office of the Attorney General to provide businesses and private parties individual CCPA-compliance advice, (2) remove language that would have previously allowed companies to cure CCPA violations prior to the AG bringing an enforcement action and (3) provide consumers a private right of action to seek remedies for any violations of their CCPA rights, not just limited to data breaches. (The bill was heard by the Senate Appropriations Committee in May but has not progressed further as of early August.)

Twelve other states have introduced similar legislation. If enacted, these laws would result in significant costs for businesses as they try to understand and put in place a privacy framework that would comply with this patchwork of U.S. and non-U.S. laws.

Congress’ response

The 116th U.S. Congress also has introduced several data privacy bills that would implement a federal data privacy standard in the United States. For example, the American Data Dissemination Act (S. 142) would “impose privacy requirements on providers of internet services similar to the requirements imposed on federal agencies under the Privacy Act of 1974.” The Social Media Privacy Protection and Consumer Rights Act of 2019 (S. 189), among other things, would require covered entities to “(1) offer a user a copy of the personal data of the user that the operator has processed, free of charge, and in an electronic format and (2) notify a user within 72 hours of becoming aware that person’s data has been transmitted in violation of the security platform.”

Even the U.S. Government Accountability Office recommends that Congress pass federal data privacy legislation.

If Congress were to do so, it would represent the first-ever federal privacy standard in the United States.

Our advice

Recent enforcement actions mean data privacy should be a top risk managed by companies as part of the enterprise risk management framework. Companies should conduct gap assessments annually to identify any business activities they engage in that are in noncompliance or pose a high risk to the company.

With CCPA, businesses that have employees or customers in California should consider adding the following measures to their compliance project plans for 2019:

• review and revise website privacy policies to meet new data disclosure, consent and opt-out requirements;
• review, revise and deliver training for a new employee privacy notice that complies with the CCPA;
• draft and roll out new processes and train key internal teams that would receive and respond to privacy inquiries and complaints;
• review and test incident response plans that prepare the organization to respond effectively in the case of a data breach; and
• review and roll out master service agreements with restrictions for data used by service providers that are required under the CCPA.

The authors are attorneys with Norton Rose Fulbright, an international law firm headquartered in London. Jeewon Kim Serrato is based out of San Francisco, and Daniel Rosenzweig is based out of Washington. More information is available at www.dataprotectionreport.com.